DOCUMENTATION
Table of Contents
1. Introduction
2. NFA Functionality
  2.1 Collector
  2.2 Databases
  2.3 Frontend
    2.3.1 Dashboards
    2.3.2 Widgets
  2.4 Data Explorer
    2.4.1 Group & Order
    2.4.2 Filters
    2.4.3 Devices
    2.4.4 Time Intervals
  2.5 SQL Query Editor
  2.6 BGP Data
    2.6.1 BGP Table
    2.6.2 BGP Sankey Diagram
  2.7 Alerts
    2.7.1 Creating Alerts
    2.7.2 My Alerts
    2.7.3 Active Alerts
    2.7.4 History of Alerts
3. Management
  3.1 Access and Security
  3.2 User Management
  3.3 User Profile
  3.4 System Notifications
    3.4.1 System Notifications Overview
    3.4.2 System Notification Channels Configuration
    3.4.3 System Notification Subscriptions
    3.4.4 Notification Text Details
  3.5 License Status
  3.6 Billing Info
  3.7 NFA Version
4. System Requirements
5. Support
6. Flow export configuration on network devices
1. Introduction
Noction Flow Analyzer (NFA) is a web-based network traffic analysis, monitoring and alerting
tool. The product enables engineers to optimize network and application performance, control
bandwidth utilization, plan network capacity properly, perform detailed BGP peering analysis,
improve security and minimize the response time to network incidents.
Noction Flow Analyzer consists of a few fundamental components which, working together,
implement the main function of NFA: offering timely traffic flow information that is easy to
interpret and analyze.
Collector (nfaflowd) receives, analyzes and processes the flow statistics exported for all
traffic transiting a network.
NFAAPId is a set of secure web services that retrieve data from the databases. A valid NFA
user ID is required to access most of the API services; use NFA's frontend to manage users or
to configure external user directories. The NFA API authenticates requests with authentication
tokens. The token is passed as a query parameter on every API request that requires
authentication.
Frontend is a browser application that interacts with NFAAPId. It offers a comprehensive set
of reports, graphs and flow information reflecting the current and historical state of a
network.
Databases: NFA uses two databases, MySQL (configuration) and ClickHouse (data mart), which
together form the central repository that stores processing results.
NFA BGP daemon stores all routes and adds the AS path to each traffic flow.
2. NFA Functionality
2.1 Collector
The Collector is one of NFA's most important components. It receives, analyzes and processes
the flow statistics exported for all traffic transiting the network and writes the results in a
compatible form to NFA's databases, MySQL and ClickHouse. It processes the most common flow
types: NetFlow, sFlow, J-Flow, IPFIX and NetStream.
sFlow (port 6343) is a protocol designed for monitoring network, wireless and host devices.
Developed by the sFlow.org consortium, it is supported by a wide range of network devices as
well as routing software and network solutions. sFlow, short for "sampled flow", is an industry
standard for packet export at Layer 2 of the OSI model. It exports truncated packets together
with interface counters: one packet out of every N is sampled, packaged with the required
statistical information and sent to the destination collector. Only the Layer 3 and Layer 4
headers and a small amount of upper-layer data are taken from each sampled packet. For
example, if HTTP traffic is present, sFlow preserves data confidentiality because it does not
extract the payload from the packet and does not collect entire network sessions.
NetFlow (port 2055) is an IP network statistics protocol developed by Cisco Systems, Inc. that
collects IP session information for traffic as it enters or exits an interface. By analyzing the
data provided by NetFlow, a network administrator can determine the source and destination of
traffic, its class of service and the cause of congestion.
Juniper routers offer a similar feature called J-Flow, which is in essence the same protocol as
Cisco NetFlow.
Flow statistics are captured and stored in the database, which NFA's graphical interface then
presents to users as dashboards, charts and reports with filtering, grouping and aggregation
functions, and through an SQL query editor that can be used to extract the data of interest.
Network devices must first be configured to forward flow statistics to NFA so that it has data
to operate on. NFA listens for flow statistics on each protocol's default port. Consult section 6
of this document for examples of flow export configuration on common network devices.
Note: Set the flow export frequency on network devices as high as possible. For best results,
export intervals should be 1 minute or less.
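What the collector sees from exporters configured as in section 6, shown as an added example that is not part of the NFA documentation or of nfaflowd: it decodes the NetFlow v9 and IPFIX export headers arriving on UDP port 2055, detects lost exports from the v9 sequence number, and flags exporters whose interval between exports exceeds the recommended 1 minute. The exporter addresses, timestamps and the v9_datagram/ipfix_datagram helpers are constructed sample data, not real captures.

```python
# Added example (not from the NFA docs or nfaflowd): parse NetFlow v9 / IPFIX
# export headers as received on UDP 2055 and check exporter health.
import struct
from dataclasses import dataclass

@dataclass
class ExportHeader:
    version: int      # 9 = NetFlow v9, 10 = IPFIX
    export_time: int  # exporter's clock, seconds since the Unix epoch
    sequence: int     # v9: export packet counter; IPFIX: data record counter
    source_id: int    # v9 Source ID / IPFIX Observation Domain ID

def parse_header(datagram: bytes) -> ExportHeader:
    """Decode the fixed header that starts every v9 or IPFIX datagram."""
    if len(datagram) < 16:
        raise ValueError("datagram shorter than any flow export header")
    version = struct.unpack_from("!H", datagram, 0)[0]
    if version == 9:
        # 20 bytes: version, count, sysUptime, unix_secs, sequence, source_id
        if len(datagram) < 20:
            raise ValueError("truncated NetFlow v9 header")
        _, _count, _up, secs, seq, src = struct.unpack_from("!HHIIII", datagram)
        return ExportHeader(9, secs, seq, src)
    if version == 10:
        # 16 bytes (RFC 7011): version, length, export_time, sequence, domain
        _, length, secs, seq, dom = struct.unpack_from("!HHIII", datagram)
        if length > len(datagram):
            raise ValueError("IPFIX length field exceeds datagram size")
        return ExportHeader(10, secs, seq, dom)
    raise ValueError(f"unsupported flow export version {version}")

def check_exports(datagrams, max_interval=60):
    """Findings for (exporter_ip, datagram) pairs: v9 sequence gaps (exports
    lost on the way to the collector) and intervals between exports above
    max_interval seconds. IPFIX sequence numbers count records, not messages,
    so only the interval check applies to IPFIX here."""
    last, findings = {}, []
    for ip, dgram in datagrams:
        hdr = parse_header(dgram)
        key = (ip, hdr.source_id)
        prev = last.get(key)
        if prev is not None:
            if hdr.version == 9 and hdr.sequence != prev.sequence + 1:
                findings.append(f"{ip}/{hdr.source_id}: v9 sequence gap "
                                f"{prev.sequence} -> {hdr.sequence}")
            gap = hdr.export_time - prev.export_time
            if gap > max_interval:
                findings.append(f"{ip}/{hdr.source_id}: {gap}s between exports")
        last[key] = hdr
    return findings

def v9_datagram(secs, seq, src=1):
    """Constructed NetFlow v9 packet: header plus dummy record bytes."""
    return struct.pack("!HHIIII", 9, 1, 123456, secs, seq, src) + b"\x00" * 8

def ipfix_datagram(secs, seq, domain=256):
    """Constructed IPFIX message: 16-byte header plus a 4-byte dummy body."""
    return struct.pack("!HHIII", 10, 20, secs, seq, domain) + b"\x00" * 4

# Constructed capture: a v9 exporter that loses three packets and stays quiet
# for 180 s, and an IPFIX exporter sending every 30 s as recommended.
SAMPLE = [
    ("10.0.0.1", v9_datagram(1_700_000_000, 100)),
    ("10.0.0.1", v9_datagram(1_700_000_060, 101)),
    ("10.0.0.1", v9_datagram(1_700_000_240, 105)),
    ("10.0.0.2", ipfix_datagram(1_700_000_000, 5000)),
    ("10.0.0.2", ipfix_datagram(1_700_000_030, 5040)),
]
```

Running check_exports(SAMPLE) reports two findings for 10.0.0.1 (a sequence gap 101 -> 105 and 180 s between exports) and none for the IPFIX exporter.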
2.2 Databases
NFA processes huge volumes of data and uses two databases to store all the related
information: MySQL and ClickHouse. The accumulated information is used by the other NFA
components to provide a graphical view of flow parameters.
MySQL is the most popular open-source SQL database management system, developed,
distributed and supported by Oracle Corporation. It serves as NFA's system data store,
holding configuration, dashboard, device and user information.
ClickHouse benefits:
• Extremely fast scans that can be used for real-time queries
• Real-time data ingestion
• Parallel processing of a single query
• Hardware efficient
• Scales well both vertically and horizontally
2.3 Frontend
The NFA main page displays a dashboard of your choice and gives access to all application
features via the main menu, navigation buttons and links.
2.3.1 Dashboards
NFA dashboards are specific sets of flexible, interactive visualizations designed for quick
analysis of network traffic data and situational awareness. Dashboards consist of widgets:
containers with graphical representations of specific data, which can be added, edited,
positioned, deleted or modified as you like.
NFA allows users to set up multiple dashboards. To see a list of existing dashboards, click the
All Dashboards link in the top menu.
Dashboards are grouped for easy access into Recent, Favorite and All. For each dashboard the
directory displays the following information:
• Default status: the default dashboard the user lands on when logging into NFA
You can easily create a new dashboard in NFA from the All Dashboards directory.
Click the "CREATE NEW DASHBOARD" button at the top left corner of the directory. A pop-up will
appear. Provide a meaningful name and description for your dashboard. Mark whether you'd like it
to be a "Shared" dashboard (all NFA users will have access to it) and/or a "Favorite" dashboard.
Press "Create & Switch" to continue, or "Close" to return to the directory.
Alternatively, you can create a new dashboard by cloning an existing one in the All Dashboards
directory.
The cloned dashboard is created automatically with the widgets of the original dashboard and
added to the directory. Edit the newly created dashboard to change its name and description.
Managing Dashboards
Access any of the dashboards you've created or have admin rights to. Click the padlock icon in
the top menu to add, edit and delete widgets or to customize the dashboard's layout.
Click the “Open Filters” button to apply temporary filtering conditions to all widgets displayed
on a given dashboard.
Deleting a Dashboard
Click the "Delete" icon on the dashboard you'd like to remove in the All Dashboards directory.
You can only delete a dashboard if you created it or if you've been granted the corresponding
admin rights.
2.3.2 Widgets
All network traffic information in NFA is graphically represented by widgets, the main dashboard
elements. Each widget encapsulates a particular query focusing on the desired network feature.
NFA maintains a library of widgets that users can reuse across all dashboards.
Use the Add Widget function available on each dashboard to browse the library of existing widgets
and place the desired ones on a dashboard.
You can easily create a new widget from scratch by proceeding to Data Navigation > Data
Explorer in the top menu, selecting the filtering and grouping options and subsequently saving
the Data Explorer view as a new widget to the desired dashboard.
Alternatively, you can create a new widget by duplicating an existing one. Click the existing
widget's name to open it in Data Explorer, make the desired modifications and save it as a new widget.
2.4 Data Explorer
Data Explorer can be accessed either from the Main Menu under the "Data Navigation" section or
by clicking any widget's header on a dashboard. Any grouping and filtering criteria previously set
up in the widget auto-populate in Data Explorer.
Data Explorer takes its statistics from the DB table Flows, whose columns include, but are not
limited to, the following:
• Time
• IP version
• Destination and Source Address
• TOS - Type of Service
• Protocol
• Source and Destination Port
• In and Out interfaces
• Source and Destination AS
• Source and Destination VLAN
• Next Hop
By default NFA uses SUM aggregation over the Packets and Octets flow metrics.
• Packets: selects whether Packets, Octets or bits/s metrics are aggregated and plotted on charts
• Save as widget: prompts to add a widget with this exact combination of filter and group-by
criteria to the library
• Display as: the chart type icon allows switching between different ways to plot the result data
Note: The top 10 results are shown by default in Data Explorer and in the widgets created from it.
To change the default, go to Advanced options and indicate the desired number of results to be
displayed on a graph. You can also limit the number of rows shown in the table.
2.4.2 Filters
Filters constrain the analyzed data to the subset that matches the filter criteria. Filters can be
applied while working with dashboards or within Data Explorer. This is a very important feature
as it saves time and significantly reduces the workload.
Note: NFA applies AND / OR logical operations across conditions or groups of conditions, so you
can express queries such as IP address AND (port = 80 OR port = 443) when querying a particular
server's web traffic.
2.4.3 Devices
The NFA device inventory accumulates information about all types of network devices in use and
assigns them meaningful names. Devices can be assigned to sites/locations, which further
enhances the grouping and filtering capabilities available for analysis.
Note that flow statistics received by NFA and NOT matched to any configured device are assigned
to a default "Not Named" device.
2.6 BGP Data
NFA overcomes the limited BGP support of traditional NetFlow by collecting full BGP data from
the BGP tables of edge routers and extracting the required BGP attributes from those tables.
NFA extracts attributes such as AS_PATH and matches them with the corresponding flow record.
This enables NFA to see and filter on the full BGP path, not just the next hop or the first three
or last three AS numbers.
For proper BGP add-on functionality, configure an iBGP session between NFA and your router(s).
Fill out the required fields and select the device type > BGP.
On the BGP Settings tab, provide the AS number, the Peer Address (your router's address) and the
NFA address (NFA internal address). Hit Add Device.
2.7 Alerts
NFA lets you set up a robust and customizable alert system that proactively notifies you when
important conditions are detected in your network traffic data. You can configure alerts based
on different characteristics and parameters of your network traffic: volume changes, frequency,
the presence of a specific traffic type, duration, baseline, or a complex combination of such
characteristics.
2. Enter a meaningful Name and Description for the alert. Select an appropriate Priority
Level: Low, High or Critical.
When setting up numerous rules with complex logic, checkmark and fill out the corresponding
"Use Complex Logic" field.
4. When relevant, checkmark and indicate the time interval during which the condition must
persist for an Alert Notification to be sent. Alternatively, checkmark and specify the number
of times an alert condition should change its state to "True" (e.g. in an abnormal traffic
behavior detection scenario) within a specific time interval for the Alert Notification to be
sent. Proceed to Next Step.
5. On the Alert Details page, select whether the alert should be activated immediately or at a
later date/time. Indicate the time interval between notifications, the alert reset conditions
and the snooze options to reduce alert fatigue.
6. Indicate the email address(es) or Slack channel the Alert Notifications should be sent to and
proceed to the Next Step.
Note: The notification channels must be properly set up from the Management > System
Notifications > Notification Channels section for users to receive alert notifications.
2.7.2 My Alerts
The My Alerts section lists the alerts created by your NFA users. Depending on your access level
you can edit, duplicate, delete alerts or turn them on/off.
Note: When you reset (acknowledge) an alert you take ownership of it. This means you are aware
of the conditions that triggered the alert and are taking action to solve the issue. Follow your
company's guidelines on further actions once you acknowledge/reset a triggered alert.
Acknowledged/reset triggered alerts are flagged with your user name and moved to the History of
Alerts section.
All triggered alerts in NFA are shown with UTC timestamps. This is especially useful for teams
using NFA from multiple geographical time zones.
3. Management
Note: User Management function is available only to users with administrative privileges.
Once an NFA component is started, stopped or reconfigured it raises the following events:
BGPd raises the following events when BGP sessions are established/disconnected:
For the email channel configuration, specify the email server and server port as well as the
sender address that will appear in the recipient's inbox. For the Slack channel configuration,
specify the Slack bot name and the Slack Webhook URL (for more details on setting up incoming
webhooks visit https://api.slack.com/messaging/webhooks).
Find the list of your active subscriptions under Management > System Notifications. Search
through existing subscriptions, sort, view, edit or delete them.
To create a new subscription, click the "Create New" button in the top right corner. A popup
window will appear. Under the "Configuration" tab, provide your subscription topic and
description. Choose the proper group or use the quick search option to find and checkmark the
desired event(s). Hit "Next".
Now, under the "Details" tab, enter the "Interval between notifications" as well as the
destination email or Slack channel. Optionally, specify when to snooze notifications and hit
"Save".
All fired events can be found under Management > System Notifications > System Logs.
PURCHASE LICENSE redirects users to Noction’s billing system to place an order for a license.
4. System Requirements
Hardware Requirements:
• x86_64 architecture
• Minimum 4-core CPU (8-core CPU recommended)
• Minimum 32GB of RAM (64GB RAM recommended; 128GB RAM optimal)
• Minimum 250GB SSD storage (500GB SSD storage recommended)
Software Requirements:
• CentOS 7 x86_64 Minimal - Clean Install
Note: NFA will install and operate below the recommended system requirements. However, as the
database grows and if complex queries are used, performance may become slow.
The minimum system requirements assume the default configuration. Significantly increasing the
flow collection rate puts additional load on the server and may require more memory or a larger CPU.
5. Support
Noction support team is available 24/7. Please contact our support team by emailing
support@noction.com or by calling +1 (650) 903-7028.
6. Flow export configuration on network devices
Cisco XE:
The NetFlow infrastructure is based on the configuration and use of the following maps:
• Exporter Map
• Sampler Map
• Flow Monitor Map
1. Exporter Map. To configure the Exporter map, define the destination (flow collector), the
source interface, the port used for exporting, the NetFlow version and the timeout rates.
2. Sampler Map. The Sampler map defines the sampling rate (here 1 packet out of every 1000):
router(config)# sampler-map SM
router(config-sm)# random 1 out-of 1000
router(config-sm)# exit
3. Flow Monitor Map. The Flow Monitor map defines the cache timeout values and associates the
Exporter map with this map.
4. Apply the maps to the interfaces. Now that your maps are defined, apply the Flow Monitor and
Sampler maps to each of the provider interfaces:
jFlow-ipfix:
chassis {
    fpc 0 {
        sampling-instance nfa-instance;
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            /* the instance name must match the chassis sampling-instance above */
            nfa-instance {
                input {
                    rate 1024;
                }
                family inet {
                    output {
                        flow-server X.X.X.X {
                            port 2055;
                            version-ipfix {
                                template {
                                    ipfix-templatev4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address Y.Y.Y.Y;
                        }
                    }
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version-ipfix {
            template ipfix-templatev4 {
                flow-active-timeout 60;
                flow-inactive-timeout 60;
                template-refresh-rate {
                    seconds 60;
                }
                ipv4-template;
            }
        }
    }
}
jFlow-v9:
chassis {
    fpc 0 {
        sampling-instance nfa-instance;
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
            }
        }
    }
}
forwarding-options {
    sampling {
        instance {
            nfa-instance {
                input {
                    rate 1024;
                }
                family inet {
                    output {
                        flow-server X.X.X.X {
                            port 2055;
                            version9 {
                                template {
                                    v9-templatev4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address Y.Y.Y.Y;
                        }
                    }
                }
            }
        }
    }
}
services {
    flow-monitoring {
        version9 {
            template v9-templatev4 {
                flow-active-timeout 60;
                flow-inactive-timeout 60;
                template-refresh-rate {
                    seconds 60;
                }
                ipv4-template;
            }
        }
    }
}
sFlow-Arista:
!
sflow run
sflow source $SOURCE
sflow destination $DESTINATION $PORT
sflow polling-interval 10
sflow sample $SAMPLING-RATE
!
By default, globally enabled sFlow exports flows from all interfaces.
To disable flow export on a specific interface, use "no sflow enable" in interface configuration
mode (config-if).
Mikrotik:
Huawei NetStream:
Copyright ©2019 Noction Inc., All Rights Reserved. Noction logos and trademarks are trademarks
or registered trademarks of Noction Inc. or its subsidiaries in the United States and other
countries.
Other names and brands may be claimed as the property of others. Information
regarding third party products is provided solely for educational purposes.
Noction Inc. is not responsible for the performance or support of third party products
and does not make any representations or warranties whatsoever regarding quality,
reliability, functionality, or compatibility of these devices or products.